Technology Lab

Sober algorithm cracked

Finally, after 2 years, the Sober random-URL-generating algorithm has been …

For over two years, the Sober worm has continued to cause headaches for Windows IT departments due to its unique design. In fact, to date Sober is still responsible for almost 40% of all infections recorded by security firm F-Secure. After a Sober variant is activated, the worm attempts to download and run a file from a website. The reason Sober has been so successful is that it doesn't rely on a static URL; instead it uses an algorithm to create semi-random URLs that change based on the date. The generated URLs all point to free hosting servers that are generally located in Germany or Australia. The tricky part? 99% of these URLs don't exist.

Whenever the virus author wants to activate the worm, he simply registers the URL with the free host, uploads the program and sits back to enjoy the ensuing havoc. The only way to block Sober was to crack the algorithm used to generate the URLs. It took almost two years, but the F-Secure team was finally able to do it.

So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publicly then - we didn't want to fill in the virus writer on this. But he must know this by now.

Even with the algorithm cracked, blocking the URLs is still a manual process, and since they change every 14 days, it will be an ongoing task for IT departments. For those interested in the URLs, they can be found in the link above.
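To illustrate why cracking the generator matters for defenders, here is an added example that is not the page's or F-Secure's code and is not Sober's actual algorithm: a hypothetical date-keyed URL generator standing in for the cracked one, plus the precomputation that turns it into a blocklist for upcoming 14-day windows. The free-host domain names, the epoch date and the per-window candidate count are constructed placeholders.

```python
import hashlib
from datetime import date, timedelta

# Constructed placeholders for the free-hosting domains; not the real hosts.
FREE_HOSTS = ["freehost-example.de", "freehost-example.au"]
PERIOD_DAYS = 14                 # the page states the URLs change every 14 days
EPOCH = date(2005, 1, 1)         # constructed start of the window counter
CANDIDATES_PER_HOST = 3          # constructed: how many names per host per window


def period_index(day_iso: str) -> int:
    """Map a calendar date (ISO string) to its 14-day activation window."""
    return (date.fromisoformat(day_iso) - EPOCH).days // PERIOD_DAYS


def candidate_urls(day_iso: str) -> list:
    """Hypothetical stand-in for the cracked generator.

    Deterministic and keyed only on the window index, so every date inside
    one 14-day window yields the same candidate set. The hash is just a
    stand-in for whatever mixing the real worm used; only the property
    'same window -> same URLs' is what the defender relies on.
    """
    idx = period_index(day_iso)
    urls = []
    for host in FREE_HOSTS:
        for n in range(CANDIDATES_PER_HOST):
            seed = f"{idx}:{host}:{n}".encode()
            label = hashlib.sha256(seed).hexdigest()[:8]
            urls.append(f"http://{host}/{label}/")
    return urls


def blocklist(start_iso: str, windows_ahead: int) -> dict:
    """Defender's view: precompute every candidate URL for the current window
    and the next `windows_ahead` windows, keyed by window index, so they can
    be submitted to the hosts or blocked before the author registers them."""
    start = date.fromisoformat(start_iso)
    out = {}
    for w in range(windows_ahead + 1):
        day = start + timedelta(days=w * PERIOD_DAYS)
        out[period_index(day.isoformat())] = candidate_urls(day.isoformat())
    return out


if __name__ == "__main__":
    for idx, urls in blocklist("2005-05-01", 2).items():
        print(f"window {idx}:", *urls, sep="\n  ")
```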